Revive Adserver 3.2.1 CSRF / XSS / Local File Inclusion

Posted Oct 7, 2015
Authored by Matteo Beccati

Revive Adserver versions 3.2.1 and below suffer from improper access controls, cross site request forgery, cross site scripting, local file inclusion, and various other vulnerabilities.

tags | advisory, local, vulnerability, xss, file inclusion, csrf
advisories | CVE-2015-7364, CVE-2015-7365, CVE-2015-7366, CVE-2015-7367, CVE-2015-7368, CVE-2015-7369, CVE-2015-7370, CVE-2015-7371, CVE-2015-7372, CVE-2015-7373
MD5 | 2a60163ddac5f6416bc4056329560ba9

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2015-001
========================================================================
http://www.revive-adserver.com/security/revive-sa-2015-001
========================================================================
CVE-IDs: CVE-2015-7364, CVE-2015-7365, CVE-2015-7366,
CVE-2015-7367, CVE-2015-7368, CVE-2015-7369,
CVE-2015-7370, CVE-2015-7371, CVE-2015-7372,
CVE-2015-7373
Date: 2015-10-07
Risk Level: Medium
Applications affected: Revive Adserver
Versions affected: <= 3.2.1
Versions not affected: >= 3.2.2
Website: http://www.revive-adserver.com/
========================================================================


========================================================================
Vulnerability 1 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: CVE-2015-7364
CWE-ID: CWE-352
CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
========================================================================

Abdullah Hussam Gazi discovered that the CSRF protection mechanism
introduced a few years ago to secure the forms generated with the
HTML_Quickform library (most of the forms in Revive Adserver's admin
UI) could be easily bypassed by sending an empty token along with the
POST data. The range of malicious actions includes, but is not limited
to, modifying entities like banners and zones and altering preferences
and settings.

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7364
http://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/288f81cc


========================================================================
Vulnerability 2 - Reflected XSS
========================================================================
CVE-ID: CVE-2015-7365
CWE-ID: CWE-79
CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
========================================================================

Abdullah Hussam Gazi has discovered that the plugin upgrade form was
not properly escaping filenames before displaying them when uploading
a file containing errors. Exploiting the vulnerability required a
specifically crafted multipart POST message.

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7365
http://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/b5848808


========================================================================
Vulnerability 3 - Cross-Site Request Forgery (CSRF)
========================================================================
CVE-ID: CVE-2015-7366
CWE-ID: CWE-352
CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
========================================================================

N B Sri Harsha has discovered that some plugin actions (e.g. enabling,
disabling) could be performed via GET without any CSRF protection
mechanism. Successful CSRF attacks could potentially lead to service
disruptions in the case of core plugins being disabled. He also
discovered that the account-user-*.php scripts were not checking the
CSRF token sent via POST, allowing minor attacks, such as changing the
victim's contact name and language.
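A Python model of the two CSRF weaknesses described in Vulnerability 1 (an empty token skipping the comparison) and Vulnerability 3 (state-changing actions reachable via GET and scripts ignoring the POSTed token), with a hardened check beside the flawed one. This is an added example, not Revive Adserver's PHP code; the session and form dictionaries are constructed stand-ins for the real request objects.

```python
import hmac
import secrets


def issue_token(session):
    """Store a fresh random CSRF token in the server-side session."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def check_token_flawed(session, form):
    """Flawed pattern: the comparison only runs when a token was submitted,
    so an empty token is treated as valid (the bypass from Vulnerability 1)."""
    submitted = form.get("token", "")
    if submitted and submitted != session.get("csrf_token"):
        return False
    return True


def check_request(session, method, form):
    """Hardened check for a state-changing action.

    Rejects anything that is not a POST (closes the GET-triggered plugin
    actions from Vulnerability 3), rejects a missing or empty token, and
    compares the submitted token against the session token in constant time.
    """
    if method != "POST":
        return False
    expected = session.get("csrf_token")
    submitted = form.get("token")
    if not expected or not submitted:
        return False
    # Encode to bytes so compare_digest accepts any submitted string safely.
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))
```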

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7366
http://cwe.mitre.org/data/definitions/352.html
https://github.com/revive-adserver/revive-adserver/commit/13d8181f


========================================================================
Vulnerability 4 - Improper Access Control
========================================================================
CVE-ID: CVE-2015-7367
CWE-ID: CWE-284
CVSSv2: 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P)
========================================================================

N B Sri Harsha discovered that deleting or unlinking users with an
active session didn't have any effect until the session was expired,
potentially allowing the users to perform undesired actions while such
sessions were still active.

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7367
http://cwe.mitre.org/data/definitions/284.html
https://github.com/revive-adserver/revive-adserver/commit/ccbd1cc5


========================================================================
Vulnerability 5 - Information Exposure Through Browser Caching
========================================================================
CVE-ID: CVE-2015-7368
CWE-ID: CWE-525
CVSSv2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
========================================================================

N B Sri Harsha has discovered that the cached copies of pages visited
in Revive Adserver's admin UI were still reachable via the browser
history after successfully logging out. This potentially allowed
exposure of sensitive information to unauthorised parties.

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7368
http://cwe.mitre.org/data/definitions/525.html
https://github.com/revive-adserver/revive-adserver/commit/15aac363
https://github.com/revive-adserver/revive-adserver/commit/c76f675d


========================================================================
Vulnerability 6 - Overly Permissive Cross-domain Whitelist
========================================================================
CVE-ID: CVE-2015-7369
CWE-ID: CWE-942
CVSSv2: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
========================================================================

Sergey Markov has reported that the crossdomain.xml files shipped with
Revive Adserver are overly permissive. On a default installation they
could in fact be exploited with malicious intents, e.g. to steal
session cookies.

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7369
http://cwe.mitre.org/data/definitions/942.html
https://github.com/revive-adserver/revive-adserver/commit/4be0aa55


========================================================================
Vulnerability 7 - Reflected XSS
========================================================================
CVE-ID: CVE-2015-7370
CWE-ID: CWE-79
CVSSv2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
========================================================================

Sergey Markov has discovered that the open-flash-chart.swf file, used
by the VideoAds plugin in Revive Adserver, was vulnerable to reflected
XSS attacks on the id and data-file parameters. This file was included
via the third party LGPLv2 graphing library, Open Flash Chart 2, which
appears to be currently unmaintained. The Revive Adserver team has
therefore decided to fix the vulnerabilities that had been reported
and to publish a github repository for the library, containing its
history and the vulnerability fixes, for the benefit of everyone else
using it:

https://github.com/revive-adserver/open-flash-chart

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7370
http://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/202eb15c
https://github.com/revive-adserver/revive-adserver/commit/e9cda5a4
https://github.com/revive-adserver/open-flash-chart/commit/0a181c56


========================================================================
Vulnerability 8 - Improper Access Control
========================================================================
CVE-ID: CVE-2015-7371
CWE-ID: CWE-284
CVSSv2: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
========================================================================

Krzysztof K. Wasielewski reported that run-mpe.php, a script used by
the admin UI to asynchronously trigger a run of the Maintenance
Priority Engine when necessary, was lacking proper authentication and
access control and could therefore be called by any third party.
Running maintenance is a resource intensive task, although a locking
mechanism prevents it from being run multiple times concurrently;
thus, run-mpe.php cannot be used alone for a resource exhaustion attack.

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7371
http://cwe.mitre.org/data/definitions/284.html
https://github.com/revive-adserver/revive-adserver/commit/12cefa6f


========================================================================
Vulnerability 9 - Local File Inclusion
========================================================================
CVE-ID: CVE-2015-7372
CWE-ID: CWE-98
CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
========================================================================

Krzysztof K. Wasielewski reported that the layerstyle parameter in
al.php was not properly sanitized, causing a potential LFI
vulnerability. Under normal circumstances, an attacker would need to
place a file named layerstyle.inc.php in an arbitrary directory on the
server and craft the layerstyle parameter accordingly to load it. If
an old version of PHP is being used on the server, other attack
techniques might be possible, e.g. NULL-byte truncation.
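An added Python illustration (not Revive Adserver's code) of how a style-name parameter like layerstyle should be validated before it selects a file to include: an unchecked path join beside a resolver that enforces an allowlisted name pattern, rejects embedded NUL bytes, and confirms the resolved path stays under the base directory. The directory layout and the base path are constructed for the example.

```python
import os
import re

# Hypothetical layout: <base_dir>/<style>/layerstyle.inc.php
STYLE_FILE = "layerstyle.inc.php"
_STYLE_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def layerstyle_path_unchecked(layerstyle, base_dir):
    """The unsafe pattern: the parameter is joined into the path as-is,
    so traversal sequences select files outside base_dir."""
    return os.path.normpath(os.path.join(base_dir, layerstyle, STYLE_FILE))


def resolve_layerstyle(layerstyle, base_dir, known_styles=None):
    """Return the absolute path of the style file, or None when the
    parameter is not an acceptable style name."""
    if not isinstance(layerstyle, str) or "\x00" in layerstyle:
        return None                      # NUL-byte truncation attempts
    if not _STYLE_NAME.fullmatch(layerstyle):
        return None                      # slashes, dots, empty names
    if known_styles is not None and layerstyle not in known_styles:
        return None                      # optional explicit allowlist
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, layerstyle, STYLE_FILE))
    # Defence in depth: even a name that passed the regex must resolve
    # to a location inside the base directory.
    if os.path.commonpath([base, path]) != base:
        return None
    return path
```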

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7372
http://cwe.mitre.org/data/definitions/98.html
https://github.com/revive-adserver/revive-adserver/commit/86b623f8
https://github.com/revive-adserver/revive-adserver/commit/c76f675d


========================================================================
Vulnerability 10 - Reflected XSS (Cross-site scripting)
========================================================================
CVE-ID: CVE-2015-7373
CWE-ID: CWE-79
CVSSv2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
========================================================================

A feature called "magic-macros" in Revive Adserver allows dynamic data
to be displayed in the banner output. There is a predefined set of
such macros (e.g. {random}, {clickurl}, etc.), but the feature also
allows the display of arbitrary GET parameters. A user reported that
the values coming from GET parameters were not properly escaped before
being displayed, thus making banners using such magic-macros a
potential vector for XSS attacks.
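An added Python model (not Revive Adserver's implementation) of a magic-macro expander: built-in macros such as {random} and {clickurl} plus arbitrary GET parameters are substituted into banner HTML, with the unescaped variant beside one that HTML-escapes every substituted value. The template, query string and click URL are constructed sample inputs.

```python
import html
import re
import secrets
from urllib.parse import parse_qs

_MACRO = re.compile(r"\{([A-Za-z0-9_]+)\}")


def _expand(template, query, clickurl, random_value, escape):
    """Replace {name} macros; unknown names are left untouched."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    if random_value is None:
        random_value = secrets.randbelow(2 ** 31)

    def value_for(match):
        name = match.group(1)
        if name == "random":
            raw = str(random_value)
        elif name == "clickurl":
            raw = clickurl
        elif name in params:
            raw = params[name]          # attacker-controlled GET parameter
        else:
            return match.group(0)
        return html.escape(raw, quote=True) if escape else raw

    return _MACRO.sub(value_for, template)


def expand_macros_unescaped(template, query, clickurl, random_value=None):
    """The flawed behaviour: GET parameter values land in the HTML verbatim."""
    return _expand(template, query, clickurl, random_value, escape=False)


def expand_macros(template, query, clickurl, random_value=None):
    """Hardened: every substituted value is escaped for HTML text and attributes."""
    return _expand(template, query, clickurl, random_value, escape=True)
```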

References
==========
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7373
http://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/c40abff6
https://github.com/revive-adserver/revive-adserver/commit/c76f675d


========================================================================
Solution
========================================================================

We strongly advise people to upgrade to the most recent 3.2.2 release
of Revive Adserver, including those running OpenX Source or older
versions of the application.


========================================================================
Contact Information
========================================================================

The security contact for Revive Adserver can be reached at:
<security AT revive-adserver DOT com>.

Please review http://www.revive-adserver.com/security/ before doing so.


--
Matteo Beccati
On behalf of the Revive Adserver Team
http://www.revive-adserver.com/
